Re: [PATCH v2 1/4] Add SELinux policy for virt
On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
From: Nikola Knazekova <nknazeko(a)redhat.com>
SELinux policy was created for:
Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)
Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)
SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't
able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC
messages are reproduced internally and policy for these drivers is made.
Signed-off-by: Nikola Knazekova <nknazeko(a)redhat.com>
---
libvirt.spec.in | 64 ++
I'd suggest just removing these parts of the patch, since
we're changing it again twice in later patches.
Just add the RPM spec changes attime you add the meson
build rules.
This patch can just be the policy file import
selinux/virt.fc | 111 +++
selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++
selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++
Put these into $GIT/src/security/selinux, since that's alongside
where we store the apparmor policy.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|